Ubisoft accidentally installed a backdoor with its DRM

Ubisoft's DRM had a vulnerability in its browser plug-in which has now been patched.

@tracehagan
Published Mon, Jul 30 2012 1:29 PM CDT   |   Updated Tue, Nov 3 2020 12:27 PM CST

Earlier today, stories were hitting the web that Ubisoft's DRM installed a browser plug-in that contained a backdoor. Ubisoft acted quickly and has released a patch to fix the security hole as it turns out that the backdoor was an accident and was in no way meant to be there, or at least not exploitable as it was.

Ubisoft accidentally installed a backdoor with its DRM | TweakTown.com

Tavis Ormandy, a Google security engineer, found the backdoor and wrote about it on the Seclists.org mailing list on Sunday. Mr. Ormandy went as far as to post a few lines of Javascript as an untested proof of concept. This morning, the story made it onto Hacker News along with a working proof of concept.

The list of games which come with Uplay, and the vulnerability, are as follows:

Assassin's Creed II

Assassin's Creed: Brotherhood

Assassin's Creed: Project Legacy

Assassin's Creed Revelations

Assassin's Creed III

Beowulf: The Game

Brothers in Arms: Furious 4

Call of Juarez: The Cartel

Driver: San Francisco

Heroes of Might and Magic VI

Just Dance 3

Prince of Persia: The Forgotten Sands

Pure Football

R.U.S.E.

Shaun White Skateboarding

Silent Hunter 5: Battle of the Atlantic

The Settlers 7: Paths to a Kingdom

Tom Clancy's H.A.W.X. 2

Tom Clancy's Ghost Recon: Future Soldier

Tom Clancy's Splinter Cell: Conviction

Your Shape: Fitness Evolved

Ubisoft has issued a statement regarding the vulnerability. They say that a patch has been provided and is a forced patch. It's important to update now that the proof of concept has been released. The statement is below for your viewing pleasure:

We have made a forced patch to correct the flaw in the browser plug-in for the Uplay PC application that was brought to our attention earlier today. We recommend that all Uplay users update their Uplay PC application without a Web browser open. This will allow the plug-in to update correctly. An updated version of the Uplay PC installer with the patch also is available from Uplay.com.

Ubisoft takes security issues very seriously, and we will continue to monitor all reports of vulnerabilities within our software and take swift action to resolve such issues.

NEWS SOURCE:techreport.com

Trace is a starving college student studying Computer Science. He has a love of the English language and an addiction for new technology and speculation. When he's not writing, studying, or going to class, he can be found on the soccer pitch, both playing and coaching, or on the mountain snowboarding.

Newsletter Subscription

Related Tags

Newsletter Subscription
Latest News
View More News
Latest Reviews
View More Reviews
Latest Articles
View More Articles